Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function.
The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.
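The pattern described above, shown as an added example that is not hoek's code: a recursive merge that trusts every key, next to a hardened merge and a parse-time filter. The names naiveMerge, safeMerge, parseUntrusted and demo, and the sample payload, are assumptions made for illustration.

```javascript
// Added illustration. naiveMerge, safeMerge, parseUntrusted and demo are
// hypothetical names; none of this is hoek's source.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable pattern: a recursive merge that trusts every key in the source.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value) && isPlainObject(target[key])) {
      naiveMerge(target[key], value); // target['__proto__'] resolves to Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip prototype-related keys, recurse only into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value) && hasOwn(target, key) && isPlainObject(target[key])) {
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Validation at the parsing boundary: drop "__proto__" keys while parsing.
const parseUntrusted = (text) =>
  JSON.parse(text, (key, value) => (key === '__proto__' ? undefined : value));

// Constructed sample payload. JSON.parse stores "__proto__" as an ordinary own key.
const PAYLOAD = '{"settings": {"theme": "dark"}, "__proto__": {"isAdmin": true}}';

function demo(mergeFn, parse = JSON.parse) {
  const merged = mergeFn({ settings: { theme: 'light' } }, parse(PAYLOAD));
  const polluted = ({}).isAdmin === true; // does an unrelated object inherit the key?
  delete Object.prototype.isAdmin;        // undo the pollution so runs stay independent
  return { theme: merged.settings.theme, polluted };
}

console.log('naiveMerge:', demo(naiveMerge));
console.log('safeMerge:', demo(safeMerge));
console.log('naiveMerge + parseUntrusted:', demo(naiveMerge, parseUntrusted));
```

Only the first call reports polluted: true; the legitimate settings.theme value is merged in all three cases.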